b7ed04ebd7
Fix a bug in T1081 where the macos version of grep is wrongly expected to accept the -P flag and fix a labeling bug in T1201 where a macOS command is wrongly described as a Windows command ( #573 )
2019-09-19 05:24:00 -06:00
7f35271b8e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 19:17:51 +00:00
a969a01805
Update T1089 - AMSI Bypass ( #570 )
...
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
This test removes the Windows Defender provider registry key.
2019-09-17 13:17:34 -06:00
0197987d18
Added MacOS and Linux isElevated check [todo: test MacOS] ( #565 )
...
* Added MacOS and Linux isElevated check [toso: test MacOS]
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
2019-09-17 13:11:19 -06:00
a226e2aa2e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 19:09:17 +00:00
cb7b3f4650
Added 'Elevated group enumeration using net group' + minor titles edit ( #567 )
...
* Added 'Elevated group enumeration using net group' + minor fix
added a new atomic ( 4), and updated attack 2 name to more clearly reflect what it is doing versus the newly added atomic (which has commands more specific to high value, elevated groups, and as well simple obfuscation)
* minor syntax fix; description clarification
* further minor clarifications to description and title
2019-09-17 13:09:03 -06:00
a27c73135a
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:48:01 +00:00
16cad4ed95
Update T1089 - AMSI Bypass cleanup ( #569 )
...
Adding in a cleanup to set the amsiInitFails variable back to false
2019-09-17 12:47:31 -06:00
d6d68477ac
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 18:33:39 +00:00
26263baec9
New Detection - T1089 ( #568 )
...
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. This is a simple atomic test that executes this unhooking behavior
2019-09-17 12:33:22 -06:00
1df960f3c4
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 16:44:59 +00:00
edc66092e3
Executor in Atomic Test #2 changed to Powershell ( #504 )
...
The specified test doesn't work in command_prompt.
2019-09-17 09:44:36 -07:00
ff779dd2fb
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-17 14:45:16 +00:00
8b855a5139
Added new atomic, 'Modify registry for password downgrade to plain text' ( #566 )
...
* Added new atomic, 'Modify registry for password downgrade to plain text'
* fixed syntax on executor
2019-09-17 08:44:55 -06:00
ac5fb215d5
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-16 15:09:00 +00:00
29a2fa0539
Added test for deletion of prefetch files (anti-forensic technique) ( #564 )
...
Details: Adding a new atomic for support on 1107, Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. An earlier version of this was drafted by Carrie Roberts (@clr2of8 )
Testing: atomic was tested with success by another jb on Windows 10, powershell with elevated privileges
Associated Issues: will also update the .md page; no issues known
2019-09-16 09:08:43 -06:00
c1d4e22313
update to describe new yaml elements ( #563 )
2019-09-13 15:46:09 -06:00
77d5d88189
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-13 15:42:16 +00:00
eab43d92fb
Update to T1036 ( #562 )
...
Adding in 3 new techniques realted to popular command interpreter renaming / running from non-std paths.
2019-09-13 09:42:01 -06:00
fe2539c7de
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-13 14:00:02 +00:00
971d5c2b8a
Create DLL Hijacking Test - amsi bypass ( #561 )
...
Commiting an AMSI bypass / DLL search order hijacking test.
2019-09-13 07:59:45 -06:00
3c644cc523
installer cleanup ( #560 )
2019-09-12 15:02:29 -06:00
29ad17b01d
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-07 01:37:43 +00:00
6f2d67e258
pipe command output to nul to keep things clean ( #559 )
2019-09-06 19:37:34 -06:00
30411b7db8
rename InputParameters to InputArgs ( #558 )
2019-09-06 19:36:02 -06:00
3b784d023c
readme updates/fixes ( #557 )
2019-09-06 11:28:13 -06:00
0110ceec98
pipe file creation output to out-null ( #556 )
2019-09-05 17:38:54 -06:00
06c3bb433a
fix null error when using -Cleanup and -ShowDetails ( #555 )
2019-09-05 17:37:48 -06:00
95f2a5ed6f
removing duplicate 'command' element from template ( #550 )
...
* removing duplicate 'command' element from template
* include TODO
2019-09-05 17:36:30 -06:00
91a5f29006
remove Z from Local timestamp ( #554 )
2019-09-05 16:21:09 -06:00
516855f4e7
fix bug where no log output for tests with input parameters ( #553 )
2019-09-05 15:27:39 -06:00
dbbec18625
bug fix for order of operations ( #552 )
2019-09-05 09:44:52 -06:00
ac22c95011
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-05 01:04:02 +00:00
75cfe33de9
Add GPP Password test definitions ( #551 )
...
* add gpp tests
* error handling to work with ART
* search all xml files
* add verbose output
* use default path relative to atomics folder
2019-09-04 19:03:45 -06:00
968bf887c2
fail pre-req check if elevation required but not provided ( #549 )
...
* add InputParameters example
* fail pre-req check if elevation required but not provided
* fail pre-req check if elevation required but not provided
* fail pre-req check if elevation required but not provided
2019-09-04 10:52:24 -06:00
d7f2290669
allow caller to specify non-default input parameters ( #547 )
2019-09-03 19:29:04 -06:00
4bc6eb5ca1
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 20:13:44 +00:00
c3dc0dc593
windows subtitle wasn't properly formatted ( #527 )
2019-09-03 14:13:34 -06:00
6e0c26b97c
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 20:11:38 +00:00
0859cb997a
removing descriptions of xxx (left over from template) ( #546 )
...
* removing descriptions of xxx (left over from template)
* update input param descriptions
* description update
* removing descriptions of xxx (left over from template)
2019-09-03 14:11:18 -06:00
1848f84fda
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 16:04:49 +00:00
ce07c60109
double quote fixes ( #545 )
2019-09-03 10:04:32 -06:00
3899ee00cf
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:31:13 +00:00
e4981743f7
Add test for T1217 that looks for bookmarks from Google Chrome browser ( #536 )
2019-09-03 09:30:58 -06:00
159697cc2e
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00
b3978a03b4
markdown fix for manual tests ( #544 )
2019-09-03 09:20:59 -06:00
84de04b082
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:37:19 +00:00
c0405724ec
move cleanup/undo commands to cleanup_command attribute ( #543 )
2019-09-03 07:37:06 -06:00
499c751bcc
Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00
3da3a89cf4
markdown fix ( #541 )
2019-09-03 07:35:52 -06:00
Mike Hunter